Ransomware: the never-ending story

Posted by Austin Morris on UTC 2017-06-16 11:21.

Another day, another ransomware attack. This time not WannaCry and not
spread through publicly exposed file-sharing ports. Just a web page, possibly with
a click-away popup that executed the malicious code on the user's
machine, or possibly just a link to that page in an email.
The situation is not completely clear at the time of writing.

The victims are not just any users, either, but the great brains in
University College London (UCL), which also happens to host one of the
leading computer science faculties in the UK.

It was thought at first that around mid-day on Wednesday 14 June a
number of people in UCL each opened an email and triggered the
ransomware payload carried in an attachment. The infection spread from
there and encrypted a number of local and network drives.

It now turns out that the infection was started by one or more users
visiting a website that had been compromised; just visiting the site may
have been enough, or visitors may have had to click on a link or dismiss
a popup. The link to this website seems to have been distributed via
email.

Fortunately the sysadmins seem to have been quick off the mark and shut
down the system, thus preventing a catastrophic spread and enabling an
orderly recovery (although some data will have been lost).
Despite the apparent rapid response by UCL, the consequences of the
attack were not trivial. They are still being tackled two days later.

We can only assume that UCL has top people running its system and
that it has state-of-the-art virus detection that would be expected to block the
execution of a malware package, whether from an email attachment or a
browser. How did this happen, then?

Either because of simple incompetence – the antivirus system was not
loaded with the latest definitions – or because the malware was as yet
unknown to the antivirus system, in which case it passes all checks.
This phase of initial ignorance is the Achilles heel of all antivirus
software. Only after the malware has spread to enough victims, been
identified by the producers as a threat, analysed, and had its
'signature' added to the blacklist used by the antivirus software are
users finally protected – assuming, of course, that they have kept their
antivirus software up to date.

The UCL report on the incident suggests the latter, of course, but goes on
to talk darkly of a 'zero-day attack'. The very use by UCL of such
nonsensical terminology points us back to incompetence as the reason for the failure.

A 'zero-day' exploit or vulnerability is a security weakness in a piece
of software that has just been discovered but not yet fixed. From the
moment of its discovery the clock is ticking for the authors of the
software to issue a patch that removes the vulnerability. We might
change the rather peculiar term 'zero-day vulnerability' into 'known but
unpatched vulnerability', to make it completely clear.

What the incompetents at UCL really mean is '[t]he virus checkers did not
show any suspicious activity', which has nothing really to do with zero-day
attacks. The infection is just a malware mutant with a new signature that was
invisible to their virus checkers. If this really were a 'zero-day attack'
alarm bells should be ringing throughout the computer world.

Such muddled thinking means that our assumption that UCL has top people running its system seems to be wrong.

Lessons learned

Time to repeat the key lessons from our piece on WannaCry:

Back up your data to offline storage frequently. That is your only serious form of protection.

Don't rely on anti-virus software: it protects you against historical malware, not new attackers.

Be suspicious of all emails and extremely suspicious if the email contains links (any links at all) and/or attachments.

Website-launched malware

If you surf on the wild side of the web you are at great risk from
malicious websites. But even legitimate websites can be compromised
without their owners' knowledge. You don't necessarily need to do
anything specific to be infected.

If there is the slightest doubt, before you click on a link hover over it and
check the real destination, usually shown in the browser's status bar.
Surely every browser user knows by now that the text of the link displayed on the
screen has no necessary relationship to the destination of the link.

Never click on a link that runs a JavaScript program. About 20 years ago
web designers liked to show how smart they were by handling links and
navigation with JavaScript code. A few idiots and some elderly websites
still do this, though.
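The two checks just described, comparing the displayed link text with the real destination and refusing links that run JavaScript, can be automated over a page's anchors. The following is an added example, not code from the original post: a small inspector that pulls every anchor out of an HTML snippet and classifies it. The HTML sample, the base URL and the verdict names are constructed for the demonstration; the anchor parsing is a deliberately simple regular expression, enough for well-formed markup but not a substitute for a real HTML parser.

```javascript
// Added example: flag anchors whose visible text disagrees with their href,
// and anchors that run JavaScript instead of navigating.

// Matches <a ... href="..."> ... </a> (simple markup only; not a full parser).
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*(["'])(.*?)\1[^>]*>([\s\S]*?)<\/a>/gi;
// Does the visible text itself look like a URL or hostname?
const URLISH_TEXT_RE = /^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[\/?#]\S*)?$/i;

function normaliseHost(host) {
  return host.toLowerCase().replace(/^www\./, '');
}

// Classify one link given its href, its stripped visible text and the page base.
function classify(href, text, base) {
  let url;
  try {
    url = new URL(href, base); // resolves relative hrefs against the page
  } catch (e) {
    return 'unparseable';
  }
  if (url.protocol === 'javascript:') return 'javascript-link';
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'non-http-scheme';
  const m = URLISH_TEXT_RE.exec(text);
  // Text shows one host, href goes to another: the status-bar check would catch this.
  if (m && normaliseHost(m[1]) !== normaliseHost(url.hostname)) return 'display-mismatch';
  return 'ok';
}

function inspectLinks(html, base) {
  const results = [];
  ANCHOR_RE.lastIndex = 0; // the regex is global; reset between calls
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const href = m[2];
    const text = m[3].replace(/<[^>]+>/g, '').trim(); // drop inner tags
    results.push({ text, href, verdict: classify(href, text, base) });
  }
  return results;
}

// Constructed sample page (example.org / example.net are reserved names).
const SAMPLE_HTML = `
<p><a href="https://www.example.org/news">Latest news</a></p>
<p><a href="https://phish.example.net/login">https://www.example.org/login</a></p>
<p><a href="javascript:void(window.open('https://elsewhere.example/'))">Click to continue</a></p>
<p><a href="/local/page"><b>example.org</b>/local/page</a></p>
`;

function runSample() {
  return inspectLinks(SAMPLE_HTML, 'https://www.example.org/');
}

console.log(runSample());
```

Only the second and third anchors are reported: the second shows one site in its text and leads to another, the third navigates nowhere and executes code instead. The first has ordinary text, and the fourth's text and resolved destination agree once `www.` is stripped.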

There is a current plague of displaying popups that nag users to
subscribe to emails, sign up as a registered user or buy t-shirts or
coffee mugs, particularly on US websites. This practice is not just
annoying but foolishly dangerous.

Except for the most credible popups,
never assume that the cancel button or even the X at the top right will
do what they are supposed to. Some wicked sites even display the popup
as a modal window, which means that nothing more can be done in the
browser until you have clicked the response. The only escape is to open
Task Manager (on Windows, by right-clicking on the taskbar) and
terminate the browser completely. Task Manager is your friend.

An up-to-date antivirus program may save you, but don't bank on it.
The only reliable solutions are the three listed above.